Topic: TrueCrypt is Now Abandonware?!

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Whatever the case, I guess a lot of folks will now be scrambling for a new encryption program.

Change "will now be" to "are" and you're spot on the sugar.

But seriously...who knows?

If TrueCrypt works - but people start distrusting and ultimately abandon it - the spooks win.

If the spooks already own it, they'll just slip something else in (because there's always a Plan-B with those guys) so they win again.

The big problem is we're using technology that wasn't intended or designed to be secure. And everything we do to try to make it secure is bolted and duct taped on.

If we're serious, the entire global network - and probably at least 85% of the rest of our computer technology - needs to be re-engineered from the ground up.

Problem is, with a project that massive, gremlins and backdoors are bound to sneak in. And the disruption and expense such a project would entail - and the degree of cooperation and goodwill needed to keep it from becoming a joke - makes it unlikely to the point of "that is so not gonna happen."

Besides - signal privacy and security aren't technical problems - they're "people problems." And as long as invasions of privacy are tolerated (when not condoned) somebody somewhere will try snooping.

"The Sourceforge project page for Truecrypt now sports a cryptographically signed notice that Truecrypt should no longer be used as it is not secure. The news came on the heels of a crowdfunded $70K security audit of the open source, anonymously maintained software giving it a relatively positive initial diagnosis. The announcement -- signed by the same key that has been used to sign previous, legitimate updates -- links Truecrypt's deprecation to Microsoft's decision to cease supporting Windows XP, though no one seems to have a theory about how these two facts relate to one another."

^I think it's less it's being seen as terrifying and more as a nasty and serious problem that needs to be solved. And pronto. At least on the part of the people with sufficient mathematical and technical chops to pull it off.

Unfortunately, finding that new encryption algorithm may prove trickier than originally thought. Look here.


And what if Glenn Greenwald's partner had TrueCrypt info when he was intercepted in London?

In that case, this is all just theatre, and we're being played like a fiddle. What then? What agenda?

Based on the wording of its license, there was always a question mark surrounding the open source-ness of Truecrypt. But that’s not the topic of this brief article. What prompted me to write this is an article that appeared in the Washington Post suggesting that TrueCrypt may have seen its last days as an (“open source”) software project.

TrueCrypt was a cross-platform (Linux, Mac OS X, and Windows) disk encryption software. The last article I wrote about it on this website was Should Truecrypt be audited?.

A quick trip to the project’s website, or what used to be the project’s website, confirmed the gist of the Washington Post article. If you try to visit http://truecrypt, you’ll actually be redirected to http://truecrypt.sourceforge.net. And the only conclusion that I can draw by looking at the contents of the website is that TrueCrypt is dead. Microsoft Windows users are encouraged to migrate to BitLocker, that operating system’s disk encryption utility, while Linux users are encouraged to “use any integrated support for encryption.” The latest download links are only for users “migrating data encrypted by TrueCrypt.” That really seals it. You cannot encrypt a disk using the latest version of TrueCrypt, only decrypt.

1. The developer of TrueCrypt has decided it is no longer worth continuing development since every modern OS supports hard drive encryption natively, making TrueCrypt redundant. Use the OS's native encryption instead of TrueCrypt. That's what this means:

Quote

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images

To reiterate: It means that TrueCrypt filled a need in XP because XP didn't support encrypted disks (or at least not to the extent that TrueCrypt provided). But now that Windows XP is a "dead" OS, everybody (who uses Windows) should be on Vista or newer. Vista or newer all support encrypted disks, so use the OS's integrated encryption.

That's why it gives so much detail on how to enable encryption on the OS level (BitLocker or whatever it's called).

2. Since 7.2 is the final release of TrueCrypt, that means that this latest version (7.2) will be the last update of TrueCrypt that people will be able to find on the internet. As such, 5 years from now when 7.2 is still the "latest version" and security flaws are found or encryption breaking/cracking schemes advance enough to make breaking the encryption in TrueCrypt trivial, people should be aware that it is not a secure program. In other words, TrueCrypt is no less secure in 7.2 than it was in 7.1a. It just has a warning now about its inevitable insecurity in the future.

Or, in other words, to avoid having to release an update in a few years when TrueCrypt truly is no longer secure due to not being developed, the developer just put one in there right now so he can be done with it.

To put it yet another way, the developer can feel like he is being morally responsible by putting that warning in there now so that he won't feel accountable for the actions of some idiot who in X years tries to use it while thinking that encryption is magical security.

Of course, I'm no security expert. I could be wrong about all this. But that's how I see it from reading the warning.

Then I think I still was mostly right, but somehow missed that important detail. I think the developer did what he felt was the morally right thing by making sure nobody would use his abandonware security software since security is an ongoing process and just the fact that it is no longer being developed will make it insecure relatively quickly.